author | morpheus65535 <[email protected]> | 2023-09-18 11:59:45 -0400 |
committer | morpheus65535 <[email protected]> | 2023-09-18 11:59:45 -0400 |
commit | 17add7fbb3ae1919a40d505470d499d46df9ae6b (patch) | |
tree | 608ceb0a69072b72159d4b22232ed03dcd8ac882 | |
parent | aa0af3f601bad55294ec241009293c60bbb3dce3 (diff) | |
download | bazarr-17add7fbb3ae1919a40d505470d499d46df9ae6b.tar.gz bazarr-17add7fbb3ae1919a40d505470d499d46df9ae6b.zip |
Fixed some code to prevent arbitrary file read and blind SSRF.
-rw-r--r-- | bazarr/app/ui.py | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/bazarr/app/ui.py b/bazarr/app/ui.py
index 77708a8c5..85d820bd1 100644
--- a/bazarr/app/ui.py
+++ b/bazarr/app/ui.py
@@ -143,13 +143,22 @@ def movies_images(url):
 @check_login
 @ui_bp.route('/system/backup/download/<path:filename>', methods=['GET'])
 def backup_download(filename):
- return send_file(os.path.join(settings.backup.folder, filename), max_age=0, as_attachment=True)
+ fullpath = os.path.normpath(os.path.join(settings.backup.folder, filename))
+ if not fullpath.startswith(settings.backup.folder):
+ return '', 404
+ else:
+ return send_file(fullpath, max_age=0, as_attachment=True)
 @ui_bp.route('/api/swaggerui/static/<path:filename>', methods=['GET'])
 def swaggerui_static(filename):
- return send_file(os.path.join(os.path.dirname(os.path.dirname(os.path.dirname(__file__))), 'libs', 'flask_restx',
- 'static', filename))
+ basepath = os.path.join(os.path.dirname(os.path.dirname(os.path.dirname(__file__))), 'libs', 'flask_restx',
+ 'static')
+ fullpath = os.path.join(basepath, filename)
+ if not fullpath.startswith(basepath):
+ return '', 404
+ else:
+ return send_file(fullpath)
 def configured():
@@ -160,6 +169,8 @@ def configured():
 @ui_bp.route('/test', methods=['GET'])
 @ui_bp.route('/test/<protocol>/<path:url>', methods=['GET'])
 def proxy(protocol, url):
+ if protocol.lower not in ['http', 'https']:
+ return dict(status=False, error='Unsupported protocol')
 url = protocol + '://' + unquote(url)
 params = request.args
 try: |
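Review bot: The traversal guard added to swaggerui_static never normalizes fullpath, so a filename containing `..` segments still satisfies `fullpath.startswith(basepath)` because os.path.join does not collapse dot segments; only backup_download runs the joined path through os.path.normpath, and whether the routing layer strips `..` before the handler sees it is not something this hunk guarantees. Even in backup_download the bare prefix test accepts sibling directories that merely share the prefix (a configured folder `/data/backup` also matches `/data/backup2/...`), and the base is not normalized, so a relative or trailing-slash setting can defeat the comparison. Both routes could delegate containment to the framework that send_file presumably comes from: `return send_from_directory(settings.backup.folder, filename, max_age=0, as_attachment=True)` and `return send_from_directory(basepath, filename)`; if that helper is not available, normalize both sides with os.path.abspath and test `os.path.commonpath([base, fullpath]) == base` instead of startswith. Neither variant follows symlinks inside the backup folder, which may or may not be a concern here.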
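Review bot: `protocol.lower` on the first added line of the proxy hunk is a bound method object, not a string, so the membership test is always false and every request to this route now returns the 'Unsupported protocol' error; it needs to be `if protocol.lower() not in ['http', 'https']:`. The scheme allow-list on its own also does not close the blind SSRF named in the commit message: once the scheme is accepted the host in url is still caller-controlled, so the outbound request can still be pointed at internal addresses, and how much that matters depends on the authentication applied to this route, which is not visible in the hunk. proxy's body continues outside the hunk.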